# Quickstart: Quality Gates / No-Legacy Enforcement ## Purpose Use this guide to review or implement Feature `288` as the bounded enforcement layer that follows Spec `287`. ## Preconditions - The package stays limited to: - no-legacy guard tests - route emission guards - forbidden legacy route/path checks - forbidden tenant-panel helper checks - provider-core forbidden seam checks - environment-scope role-authority guard checks - quality-gate documentation - targeted browser smoke gates - full-suite baseline classification only, not full-suite repair - Package Execution Contract remains deferred to Spec `289`. - The implementation does not reopen runtime cutover, provider-core rewrites, RBAC rewrites, Guided Operations, UI copy cleanup, Review Pack export work, or a full-suite repair program. - Filament remains v5 on Livewire v4 and provider registration remains in `apps/platform/bootstrap/providers.php`. ## Read Order 1. `spec.md` 2. `plan.md` 3. `research.md` 4. `data-model.md` 5. `contracts/quality-gates-no-legacy-enforcement.logical.openapi.yaml` 6. `tasks.md` 7. `checklists/requirements.md` ## Implementation Intent - add bounded no-legacy and route-emission guards instead of reopening route migration work - add bounded provider-core and role-authority guards instead of rewriting provider-core or RBAC - keep browser proof on the existing Spec `281` and Spec `285` smoke anchors - document the quality-gate contract and the rule that broader baseline fallout is classified only under this spec - keep Spec `289` as the explicit follow-up for Package Execution Contract work ## Review Scenarios ### Scenario 1: Retired management routes and helper patterns fail fast - introduce or simulate a retired route/path or helper token on an owned seam - run the targeted guard suite - confirm the failure message names the offending path or helper pattern explicitly ### Scenario 2: Provider-core seams stay provider-neutral and role authority stays workspace-owned - run the targeted provider-boundary and role-authority proof set - confirm platform-core seams do not reintroduce provider-specific request shaping or binding truth - confirm wrong-scope `404`, in-scope `403`, and direct role-edit rejection semantics remain intact ### Scenario 3: Browser proof still reflects canonical visible continuity - run the two targeted browser smoke tests - confirm the provider-connection and workspace/environment drill-down flows render their canonical route continuity - confirm the browser suite reports no JavaScript or console errors ### Scenario 4: Broader baseline fallout stays classification-only - review the contributor-facing quality-gate docs and any changed report/manifest wording - confirm the package classifies wider baseline fallout without taking ownership of unrelated repair work ## Planned Validation Commands ```bash export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/Spec288NoLegacyRouteAndHelperGuardTest.php tests/Feature/Guards/Spec288ProviderCoreAndRoleAuthorityGuardTest.php tests/Feature/Guards/AdminWorkspaceRoutesGuardTest.php tests/Feature/Guards/ProviderBoundaryPlatformCoreGuardTest.php tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/Spec080WorkspaceManagedTenantAdminMigrationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Guards/BrowserLaneIsolationTest.php tests/Feature/Guards/CiLaneFailureClassificationContractTest.php tests/Feature/Guards/CiHeavyBrowserWorkflowContractTest.php tests/Unit/Auth/NoRoleStringChecksTest.php) ``` ```bash export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php) ``` ```bash export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && REPO_ROOT="$(git rev-parse --show-toplevel)" && (cd "$REPO_ROOT/apps/platform" && ./vendor/bin/sail bin pint --dirty --format agent) ``` ## Explicit Stop Conditions - If implementation starts repairing unrelated full-suite failures, stop and split that work out of `288`. - If implementation starts reopening runtime cutover, provider-core rewrite, RBAC rewrite, or product-surface cleanup, stop and split the extra work out of `288`. - If implementation starts absorbing Package Execution Contract work, stop and move that work to Spec `289`.